We are receiving the following warning message on a high-traffic database server with system audit enabled to log successful logins:

"Audit writer process does not keep up with the volume of generated audit events. Some events might be missed. If you see recurring messages of this type, consider increasing audit queue size."

Based on that warning, my instinct was to increase the Audit queue size in config to something much larger than the default of 2MB; however, when reading the DB Audit User Guide I am confused by the following sentences in the "Important Notes" section:

Important Notes: Small values lead to a greater database performance impact caused by the auditing. On the contrary large values reduce the impact but lead to a greater time lag between event occurrence and recording and ultimately may cause event misses

I am interpreting that as if I increase the size of the queue, I could possibly miss events; however, the warning message contradicts the "important note" and is stating that the queue size should be increased because it's not able to capture all of the events. So should I actually increase the queue size? If so, how can I gauge what size to increase it to?

Tue Jul 22, 2014 5:05 pm

SysOp

Site Admin

Joined: 26 Nov 2006 | Posts: 6739

I believe it's saying that the bigger the queue, the longer it may take the system to flush it to the disk (audit trail table).

As for the high volume issue and the system not being able to save events as fast as they occur, I suggest checking already saved events and figuring out what's causing such high volume, then setting appropriate audit filters to ignore unimportant noise (events, users, or applications you don't care about).

Tue Jul 22, 2014 6:20 pm

jr0214

Joined: 22 Jul 2014 | Posts: 2 | Country: United States

Thanks for the clarification.

I was able to determine that one of our applications using that database server is logging an insane amount of successful logins each time a user logs in. For now I've filtered that application out.
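
An added example, not part of the thread and not code from the audit product: one way to triage already saved login events and find which application is generating the volume, as suggested above. The record layout (time, login, application), the application names, the 5-second burst window and the threshold are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful-login audit events: (time, login, application).
# The field layout is an assumption, not the audit product's actual trail schema.
def _sample():
    t0 = datetime(2014, 7, 22, 9, 0, 0)
    events = []
    # Hypothetical "webportal" app opens 40 connections per user sign-in.
    for u, start in (("alice", 0), ("bob", 60), ("carol", 120)):
        events += [(t0 + timedelta(seconds=start, milliseconds=50 * i), u, "webportal")
                   for i in range(40)]
    # Ordinary clients: one login per session.
    events += [(t0 + timedelta(seconds=30 * i), "dba1", "sqlclient") for i in range(5)]
    events += [(t0 + timedelta(seconds=45), "etl", "batchjob")]
    return sorted(events)

SAMPLE_EVENTS = _sample()

def login_bursts(events, window=timedelta(seconds=5)):
    """Group each (application, login) stream into bursts: runs of events
    where each login follows the previous one within `window`."""
    last_seen, bursts = {}, defaultdict(list)
    for ts, login, app in sorted(events):
        key = (app, login)
        if key in last_seen and ts - last_seen[key] <= window:
            bursts[key][-1] += 1
        else:
            bursts[key].append(1)
        last_seen[key] = ts
    return bursts

def noisy_applications(events, max_per_burst=5):
    """Return {application: (total_events, share_of_volume, avg_logins_per_burst)}
    for applications whose average burst size exceeds `max_per_burst`."""
    per_app = defaultdict(list)
    for (app, _login), sizes in login_bursts(events).items():
        per_app[app].extend(sizes)
    total = len(events)
    report = {}
    for app, sizes in per_app.items():
        avg = sum(sizes) / len(sizes)
        if avg > max_per_burst:
            report[app] = (sum(sizes), round(sum(sizes) / total, 3), avg)
    return report

if __name__ == "__main__":
    for app, (n, share, avg) in noisy_applications(SAMPLE_EVENTS).items():
        print(f"{app}: {n} events ({share:.1%} of volume), {avg:.0f} logins per sign-in")
```

Measuring logins per burst rather than raw counts separates an application that opens many connections per sign-in from one that simply has many users, which matters when deciding what is safe to exclude with an audit filter.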